PF on router v2.0

Travis H. solinym at gmail.com
Thu Dec 8 03:02:40 PST 2005


> pass in all
> pass out all

I think you can do that with one rule.

pass all

You can also tighten the tcp rule by specifying "flags S/SA"... the
state will take care of the rest of the packets.  This prevents
ack-scanning.

You might also consider "antispoof" rules on the interfaces, but that
is a kind of blocking, so maybe you don't want it after all.

Overall this ruleset and your needs are so simple there's not much to
suggest.  Maybe try lists versus tables to see the speed difference,
but other than that...
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
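The suggestions above written out as a pf.conf fragment, added here as an example and not taken from Travis's post; interface names and addresses are assumed. Note that PF passes any packet that matches no rule, so for the "flags S/SA" rule to actually stop bare-ACK probes there has to be a block rule for unmatched inbound traffic; this version assumes you want that and adds one.

```pf
# Added example, not from the original post. Assumed interfaces/addresses.
ext_if = "em0"
int_if = "em1"

# Table form of an address set: a single rule with one radix-tree lookup.
table <admins> { 192.0.2.10, 192.0.2.11 }

set skip on lo0
scrub in all

# Drop packets arriving on the wrong interface for their source network.
# "quick" makes these block rules win even though pass rules follow
# (otherwise the last matching rule decides).
antispoof quick for { $ext_if, $int_if }

# Default block for inbound traffic. Without it a bare ACK that matches no
# pass rule is still passed, and the flags restriction below would only
# control which packets create state.
block in all

pass out all keep state

# Only a SYN with ACK clear creates TCP state; the remaining segments of
# the connection are matched by the state table, not by this rule.
pass in proto tcp all flags S/SA keep state
pass in proto { udp, icmp } all keep state

# List versus table for the same address set (keep one of the two):
# the list is expanded into one rule per address when the file is loaded...
pass in on $ext_if proto tcp from { 192.0.2.10, 192.0.2.11 } \
    to any port 22 flags S/SA keep state
# ...while the table stays a single rule, whatever the number of entries.
pass in on $ext_if proto tcp from <admins> \
    to any port 22 flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows how many rules the list form expanded into compared with the table form.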